Royal Security Fail: 'May I Speak To Kate?'

The oldest -- and most effective -- social engineering trick in the book remains getting on the phone and impersonating an insider. Ask Kate Middleton, the Duchess of Cambridge.

Want to obtain health information about a princess? Call a hospital, and pretend to be the queen.

Call it a joke, except that the setup worked. Earlier this week, a male-female DJ duo from an Australian FM radio show searched Google for the phone number for the Edward VII Hospital where the former Kate Middleton -- now known as the Duchess of Cambridge -- was receiving treatment for hyperemesis gravidarum, which is a severe form of morning sickness. Then the pair phoned, and in Australian-tinged accents, pretended to be Elizabeth II, Queen of Great Britain, and her son, Prince Charles.

After the female DJ -- posing as the queen -- asked how her granddaughter was doing with her "tummy bug," a nurse replied that she was sleeping and unable to receive a phone call. "Okay I'll just feed my little corgis then," said the supposed monarch. "When is a good time to come and visit her, because I'm the queen and I need a lift down there?"

To be clear, while the nurse -- in the course of a two-minute phone call -- revealed the comings and going of Kate's husband, she apparently divulged no details about the patient's medical condition. On the other hand, the nurse appeared to believe that she was indeed speaking with the queen, which means the hospital evidently hadn't trained its staff on the basics of safeguarding patient confidentiality, especially when on the phone.

Does no one remember their Kevin Mitnick? The surest path to obtaining desired information, especially if you're not authorized to have access to that information, is to get on the phone, pretend to be an insider, and politely request what you need. It's called a social-engineering attack, and it's one of the oldest tricks in the book, because it's cheap, easy and effective.

John Lofthouse, the hospital's chief executive, attempted to deflect the blame onto the callers. "This was a foolish prank call that we all deplore. We take patient confidentiality extremely seriously and are now reviewing our telephone protocols." In a video message later released by the hospital, he said, "Our nurses are caring and professional, and not used to coping with this sort of journalistic trickery."

Not preparing staff to handle potential trickery of any sort -- from unscrupulous journalists, investigators, even spouses who might be stalking their former partners -- represents a clear failure by Lofthouse and the hospital's management team, and should serve as a lesson for any other organization charged with safeguarding information of any kind. Of course patient information may at times need to be relayed via phone. But the nurses that fielded the phone call didn't even perform the most basic of checks to verify their caller's identity, such as asking for a phone number so that it could be verified and the call returned. Equally, they might have approached the royal security detail that was likely camped down the hall to verify that their boss was indeed on the phone.

The hospital incident comes after the recent conclusion of the Leveson inquiry in Britain, which investigated whether the country's media should be subject to new regulations. The inquiry was kicked off by the phone wiretapping scandal that centered on Rupert Murdoch's News International. But even new regulations wouldn't prevent a determined social engineer -- or in this case, a pair of prankster Australian DJs -- from outsmarting their target.

To be fair to the hospital staff, however, they're far from the first people who have fallen victim to a social-engineering attack, and similar techniques have been used in high-profile cases involving Apple and Amazon, as well as HBGary Federal.

This week, meanwhile, the Internet Crime Complaint Center -- a joint effort between the FBI and the National White Collar Crime Center -- released a warning about a malware-driven scam that locks people's PCs, then tells people they have to pay a fine to the FBI to unlock it. This isn't the first time the government has released that warning, meaning that people keep falling for the ruse. Similarly, the continuing prevalence of tech support telemarketing scams suggests that the criminals involved are scamming enough people to make it economically worth their while.

How can people stop falling for these scams? Whether it's a hospital handling confidential information, or a cold call from someone who tells you that your PC is broken and they want to fix it, the response should be clear: Always verify a caller's identity before divulging sensitive information. If necessary, make the caller jump through hoops. Don't bow to pressure or apparent authority -- monarchs included. If in any doubt, take their phone number, hang up and phone your security team. Especially if the queen says she's calling.

It was a very foolish prank but it did prove that the hospital; was not trained properly. That is not the nurse's fault she did not do anything wrong in my opinion. Social engineering attacks are just that they prey on human behaviors and that is all this was. It a an elaborate social engineering skit for entertainment purposes. Did the DJ know that what they were doing was 'hacking' probably not, and thought it was just that a prank call. Hopefully the hospital will use this information and properly train their staff so as this dopes not happen again.

I agree with Paul CerratoGÇÖs comment: You canGÇÖt blame others for having poorly trained staff or allowing such a low-level setup to work. At the end of the day, everyone that has access to patient information should be trained on how to handle such information.

Published: 2015-03-03Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

Published: 2015-03-03** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in customer-controlled software. Notes: none.

How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.